Introduce source.address and destination.address.

elastic · Dec 6, 2018 · 68f0f81 · 68f0f81
1 parent 983befa
commit 68f0f81
Show file tree

Hide file tree

Showing 6 changed files with 56 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -143,6 +143,7 @@ Destination fields describe details about the destination of a packet/event.
 
 | Field  | Description  | Level  | Type  | Example  |
 |---|---|---|---|---|
+| <a name="destination.address"></a>destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.<br/>Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | extended | keyword |  |
 | <a name="destination.ip"></a>destination.ip | IP address of the destination.<br/>Can be one or multiple IPv4 or IPv6 addresses. | core | ip |  |
 | <a name="destination.port"></a>destination.port | Port of the destination. | core | long |  |
 | <a name="destination.mac"></a>destination.mac | MAC address of the destination. | core | keyword |  |
@@ -409,6 +410,7 @@ Source fields describe details about the source of a packet/event.
 
 | Field  | Description  | Level  | Type  | Example  |
 |---|---|---|---|---|
+| <a name="source.address"></a>source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket.  You should always store the raw address in the `.address` field.<br/>Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | extended | keyword |  |
 | <a name="source.ip"></a>source.ip | IP address of the source.<br/>Can be one or multiple IPv4 or IPv6 addresses. | core | ip |  |
 | <a name="source.port"></a>source.port | Port of the source. | core | long |  |
 | <a name="source.mac"></a>source.mac | MAC address of the source. | core | keyword |  |

diff --git a/fields.yml b/fields.yml
@@ -243,6 +243,17 @@
       type: group
       fields:
 
+        - name: address
+          level: extended
+          type: keyword
+          description: >
+            Some event destination addresses are defined ambiguously. The event will
+            sometimes list an IP, a domain or a unix socket.  You should always
+            store the raw address in the `.address` field.
+    
+            Then it should be duplicated to `.ip` or `.domain`, depending on which
+            one it is.
+
         - name: ip
           level: core
           type: ip
@@ -1226,6 +1237,17 @@
       type: group
       fields:
 
+        - name: address
+          level: extended
+          type: keyword
+          description: >
+            Some event source addresses are defined ambiguously. The event will
+            sometimes list an IP, a domain or a unix socket.  You should always
+            store the raw address in the `.address` field.
+    
+            Then it should be duplicated to `.ip` or `.domain`, depending on which
+            one it is.
+
         - name: ip
           level: core
           type: ip

diff --git a/schema.csv b/schema.csv
@@ -21,6 +21,7 @@ container.image.tag,keyword,extended,
 container.labels,object,extended,
 container.name,keyword,extended,
 container.runtime,keyword,extended,docker
+destination.address,keyword,extended,
 destination.bytes,long,core,184
 destination.domain,keyword,core,
 destination.ip,ip,core,
@@ -124,6 +125,7 @@ service.name,keyword,core,elasticsearch-metrics
 service.state,keyword,core,
 service.type,keyword,core,elasticsearch
 service.version,keyword,core,3.2.4
+source.address,keyword,extended,
 source.bytes,long,core,184
 source.domain,keyword,core,
 source.ip,ip,core,

diff --git a/schemas/destination.yml b/schemas/destination.yml
@@ -8,6 +8,17 @@
   type: group
   fields:
 
+    - name: address
+      level: extended
+      type: keyword
+      description: >
+        Some event destination addresses are defined ambiguously. The event will
+        sometimes list an IP, a domain or a unix socket.  You should always
+        store the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which
+        one it is.
+
     - name: ip
       level: core
       type: ip

diff --git a/schemas/source.yml b/schemas/source.yml
@@ -8,6 +8,17 @@
   type: group
   fields:
 
+    - name: address
+      level: extended
+      type: keyword
+      description: >
+        Some event source addresses are defined ambiguously. The event will
+        sometimes list an IP, a domain or a unix socket.  You should always
+        store the raw address in the `.address` field.
+
+        Then it should be duplicated to `.ip` or `.domain`, depending on which
+        one it is.
+
     - name: ip
       level: core
       type: ip

diff --git a/template.json b/template.json
@@ -124,6 +124,10 @@
         },
         "destination": {
           "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "bytes": {
               "type": "long"
             },
@@ -601,6 +605,10 @@
         },
         "source": {
           "properties": {
+            "address": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "bytes": {
               "type": "long"
             },